GET /cas/login HTTP/1.1
...省略..

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: JSESSIONID=2DA712066025406394C7C644AF16FD18; Path=/cas
Content-Type: text/html;charset=UTF-8
Content-Length: 1993
Date: Wed, 30 Oct 2013 01:53:49 GMT

内容就是登陆表单，省略

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>

<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck" />
</decision-state>

<action-state id="serviceAuthorizationCheck">
<evaluate expression="serviceAuthorizationCheck"/>
<transition to="generateLoginTicket"/>
</action-state>

<action-state id="generateLoginTicket">
<evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
    <transition on="generated" to="viewLoginForm" />
</action-state>

<view-state id="viewLoginForm" view="casLoginView" model="credentials">
<binder>
    <binding property="username" />
    <binding property="password" />
</binder>
<on-entry>
    <set name="viewScope.commandName" value="'credentials'" />
</on-entry>
    <transition on="submit" bind="true" validate="true" to="realSubmit">
    <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
</transition>
</view-state>

POST /cas/login;jsessionid=2DA712066025406394C7C644AF16FD18 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
...部分省略...
Cookie: JSESSIONID=2DA712066025406394C7C644AF16FD18

username=admin&password=1&warn=true<=LT-3-Ahdqm03UKMR9vwuy7A5ZSCMa9zJkNi&execution=e1s1&_eventId=submit&x=53&y=55

响应：
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: CASPRIVACY=true; Path=/cas/; Secure
Set-Cookie: CASTGC=TGT-2-DmMvVs9Wy01ScbnMtgtLzgcyX5X14TGcM1f5iGuWIBrlDwTg4Q-cas01.example.org; Path=/cas/
Content-Type: text/html;charset=UTF-8
Content-Length: 1602
Date: Wed, 30 Oct 2013 01:54:03 GMT

<action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
    <transition on="warn" to="warn" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="generateLoginTicket" />
    <transition on="accountDisabled" to="casAccountDisabledView" />
    <transition on="mustChangePassword" to="casMustChangePassView" />
    <transition on="accountLocked" to="casAccountLockedView" />
    <transition on="badHours" to="casBadHoursView" />
    <transition on="badWorkstation" to="casBadWorkstationView" />
    <transition on="passwordExpired" to="casExpiredPassView" />
</action-state>

    public final String submit(final RequestContext context, final Credentials credentials, final MessageContext messageContext) throws Exception {
        // Validate login ticket
        final String authoritativeLoginTicket = WebUtils.getLoginTicketFromFlowScope(context);
        final String providedLoginTicket = WebUtils.getLoginTicketFromRequest(context);
        if (!authoritativeLoginTicket.equals(providedLoginTicket)) {
            this.logger.warn("Invalid login ticket " + providedLoginTicket);
            final String code = "INVALID_TICKET";
            messageContext.addMessage(
                new MessageBuilder().error().code(code).arg(providedLoginTicket).defaultText(code).build());
            return "error";
        }

        final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
        final Service service = WebUtils.getService(context);
        if (StringUtils.hasText(context.getRequestParameters().get("renew")) && ticketGrantingTicketId != null && service != null) {

            try {
                final String serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicketId, service, credentials);
                WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
                putWarnCookieIfRequestParameterPresent(context);
                return "warn";
            } catch (final TicketException e) {
                if (isCauseAuthenticationException(e)) {
                    populateErrorsInstance(e, messageContext);
                    return getAuthenticationExceptionEventId(e);
                }
                
                this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
                if (logger.isDebugEnabled()) {
                    logger.debug("Attempted to generate a ServiceTicket using renew=true with different credentials", e);
                }
            }
        }

        try {
            WebUtils.putTicketGrantingTicketInRequestScope(context, this.centralAuthenticationService.createTicketGrantingTicket(credentials));
            putWarnCookieIfRequestParameterPresent(context);
            return "success";
        } catch (final TicketException e) {
            populateErrorsInstance(e, messageContext);
            if (isCauseAuthenticationException(e))
                return getAuthenticationExceptionEventId(e);
            return "error";
        }
    }

<action-state id="sendTicketGrantingTicket">
<evaluate expression="sendTicketGrantingTicketAction" />
    <transition to="serviceCheck" />
</action-state>

<!--
    <decision-state id="serviceCheck">
        <if test="flowScope.service != null" then="generateServiceTicket" else="getSubSystemUrl" />
    </decision-state> -->
    <decision-state id="serviceCheck">
        <if test="flowScope.service != null" then="getSubSystemUrl" else="getSubSystemUrl" />
    </decision-state>
    
    <action-state id="generateServiceTicket">
        <evaluate expression="generateServiceTicketAction" />
        <transition on="success" to ="warn" />
        <transition on="error" to="generateLoginTicket" />
        <transition on="gateway" to="gatewayServicesManagementCheck" />
    </action-state>
    
    <action-state id="getSubSystemUrl">
        <evaluate expression="getSubSystemUrlAction.get(flowRequestContext, flowScope.credentials)" />
        <transition to ="viewGenericLoginSuccess" />
    </action-state>

<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" />

GET /UserManage/ HTTP/1.1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://10.0.103.137:8080/cas/login?service=http%3A%2F%2F10.0.103.137%3A8080%2FUserManage%2F
Content-Length: 0
Date: Wed, 30 Oct 2013 01:54:22 GMT

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <!-- CAS login 服务地址-->
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://10.0.103.137:8080/cas/login</param-value>
    </init-param>
    <!-- 客户端应用服务地址-->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://10.0.103.137:8080</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

   public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession(false);
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

        if (assertion != null) {
            filterChain.doFilter(request, response);
            return;
        }

        final String serviceUrl = constructServiceUrl(request, response);
        final String ticket = CommonUtils.safeGetParameter(request,getArtifactParameterName());
        final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);

        if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
            filterChain.doFilter(request, response);
            return;
        }

        final String modifiedServiceUrl;

        log.debug("no ticket and no assertion found");
        if (this.gateway) {
            log.debug("setting gateway attribute in session");
            modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
        } else {
            modifiedServiceUrl = serviceUrl;
        }

        if (log.isDebugEnabled()) {
            log.debug("Constructed service url: " + modifiedServiceUrl);
        }

        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);

        if (log.isDebugEnabled()) {
            log.debug("redirecting to \"" + urlToRedirectTo + "\"");
        }

        response.sendRedirect(urlToRedirectTo);
    }

GET /cas/login?service=http%3A%2F%2F10.0.103.137%3A8080%2FUserManage%2F HTTP/1.1
Cookie: CASTGC=TGT-2-DmMvVs9Wy01ScbnMtgtLzgcyX5X14TGcM1f5iGuWIBrlDwTg4Q-cas01.example.org; JSESSIONID=2DA712066025406394C7C644AF16FD18

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: http://10.0.103.137:8080/UserManage/?ticket=ST-1-0dnlMstfctMYVcat5wfy-cas01.example.org
Content-Length: 0
Date: Wed, 30 Oct 2013 01:54:22 GMT

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>

<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null" then="renewRequestCheck" else="getSubSystemUrl" />
</decision-state>

<decision-state id="renewRequestCheck">
    <if test="requestParameters.renew != '' and requestParameters.renew != null" then="serviceAuthorizationCheck" else="generateServiceTicket" />
</decision-state>

<action-state id="generateServiceTicket">
    <evaluate expression="generateServiceTicketAction" />
    <transition on="success" to ="warn" />
    <transition on="error" to="generateLoginTicket" />
    <transition on="gateway" to="gatewayServicesManagementCheck" />
</action-state>

protected Event doExecute(final RequestContext context) {
        final Service service = WebUtils.getService(context);
        final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);

        try {
            final String serviceTicketId = this.centralAuthenticationService
                .grantServiceTicket(ticketGrantingTicket,
                    service);
            WebUtils.putServiceTicketInRequestScope(context,
                serviceTicketId);
            return success();
        } catch (final TicketException e) {
            if (isGatewayPresent(context)) {
                return result("gateway");
            }
        }

        return error();
    }

<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
</decision-state>

<action-state id="redirect">
    <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)" result-type="org.jasig.cas.authentication.principal.Response" result="requestScope.response" />
    <transition to="postRedirectDecision" />
</action-state>

<decision-state id="postRedirectDecision">
    <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView" />
</decision-state>

<end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />

GET /UserManage/?ticket=ST-1-0dnlMstfctMYVcat5wfy-cas01.example.org HTTP/1.1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3A8260292C0430806E231B0E76907137; Path=/UserManage
Location: http://10.0.103.137:8080/UserManage/;jsessionid=3A8260292C0430806E231B0E76907137
Content-Length: 0
Date: Wed, 30 Oct 2013 01:54:24 GMT

<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://10.0.103.137:8080/cas/</param-value>
    </init-param>
    <!-- 客户端应用服务地址-->
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://10.0.103.137:8080</param-value>
    </init-param>
</filter>

    public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {

        if (!preFilter(servletRequest, servletResponse, filterChain)) {
            return;
        }

        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());

        if (CommonUtils.isNotBlank(ticket)) {
            if (log.isDebugEnabled()) {
                log.debug("Attempting to validate ticket: " + ticket);
            }

            try {
                final Assertion assertion = this.ticketValidator.validate(ticket, constructServiceUrl(request, response));

                if (log.isDebugEnabled()) {
                    log.debug("Successfully authenticated user: " + assertion.getPrincipal().getName());
                }

                request.setAttribute(CONST_CAS_ASSERTION, assertion);

                if (this.useSession) {
                    request.getSession().setAttribute(CONST_CAS_ASSERTION, assertion);
                }
                onSuccessfulValidation(request, response, assertion);

                if (this.redirectAfterValidation) {
                    log. debug("Redirecting after successful ticket validation.");
                    response.sendRedirect(constructServiceUrl(request, response));
                    return;
                }
            } catch (final TicketValidationException e) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                log.warn(e, e);

                onFailedValidation(request, response);

                if (this.exceptionOnValidationFailure) {
                    throw new ServletException(e);
                }

                return;
            }
        }

        filterChain.doFilter(request, response);

    }

        final String validationUrl = constructValidationUrl(ticket, service);
        if (log.isDebugEnabled()) {
            log.debug("Constructing validation url: " + validationUrl);
        }

        try {
            log.debug("Retrieving response from server.");
            final String serverResponse = retrieveResponseFromServer(new URL(validationUrl), ticket);

            if (serverResponse == null) {
                throw new TicketValidationException("The CAS server returned no response.");
            }
            
            if (log.isDebugEnabled()) {
                log.debug("Server response: " + serverResponse);
            }

            return parseResponseFromServer(serverResponse);
        } catch (final MalformedURLException e) {
            throw new TicketValidationException(e);
        }

protected final String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
        if (this.hostnameVerifier != null) {
            return CommonUtils.getResponseFromServer(validationUrl, this.hostnameVerifier, getEncoding());
        } else {
            return CommonUtils.getResponseFromServer(validationUrl, getEncoding());
        }
    }

    public static String getResponseFromServer(final URL constructedUrl, final HostnameVerifier hostnameVerifier, final String encoding) {
        URLConnection conn = null;
        try {
            conn = constructedUrl.openConnection();
            if (conn instanceof HttpsURLConnection) {
                ((HttpsURLConnection)conn).setHostnameVerifier(hostnameVerifier);
            }
            final BufferedReader in;

            if (CommonUtils.isEmpty(encoding)) {
                in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            } else {
                in = new BufferedReader(new InputStreamReader(conn.getInputStream(), encoding));
            }

            String line;
            final StringBuilder stringBuffer = new StringBuilder(255);

            while ((line = in.readLine()) != null) {
                stringBuffer.append(line);
                stringBuffer.append("\n");
            }
            return stringBuffer.toString();
        } catch (final Exception e) {
            LOG.error(e.getMessage(), e);
            throw new RuntimeException(e);
        } finally {
            if (conn != null && conn instanceof HttpURLConnection) {
                ((HttpURLConnection)conn).disconnect();
            }
        }

    }

GET /cas/serviceValidate?ticket=ST-1-0dnlMstfctMYVcat5wfy-cas01.example.org&service=http%3A%2F%2F10.0.103.137%3A8080%2FUserManage%2F%3Bjsessionid%3D3A8260292C0430806E231B0E76907137 HTTP/1.1
User-Agent: Java/1.6.0_26

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Language: zh-CN
Content-Length: 177
Date: Wed, 30 Oct 2013 01:54:24 GMT

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>admin</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

<servlet>
    <servlet-name>cas</servlet-name>
    <servlet-class>
      org.jasig.cas.web.init.SafeDispatcherServlet
    </servlet-class>
</servlet>

 <bean
      id="handlerMappingC"
      class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
      <props>
        <prop key="/logout">logoutController</prop>
        <prop key="/serviceValidate">serviceValidateController</prop>

    @NotNull
    private TicketRegistry ticketRegistry;

    /** New Ticket Registry for storing and retrieving services tickets. Can point to the same one as the ticketRegistry variable. */
    @NotNull
    private TicketRegistry serviceTicketRegistry;

final ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

final List<Authentication> chainedAuthenticationsList = serviceTicket.getGrantingTicket().getChainedAuthentications();
final Authentication authentication = chainedAuthenticationsList.get(chainedAuthenticationsList.size() - 1);
final Principal principal = authentication.getPrincipal();

GET /UserManage/;jsessionid=3A8260292C0430806E231B0E76907137 HTTP/1.1
Cookie: JSESSIONID=3A8260292C0430806E231B0E76907137

   public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession(false);
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

        if (assertion != null) {
            filterChain.doFilter(request, response);
            return;
        }
.....

GET /cas/logout HTTP/1.1
Cookie: CASTGC=TGT-2-DmMvVs9Wy01ScbnMtgtLzgcyX5X14TGcM1f5iGuWIBrlDwTg4Q-cas01.example.org; JSESSIONID=0F5355FE89E099FF14E149CF9C55644C

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: CASTGC=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas/
Set-Cookie: CASPRIVACY=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas/
Set-Cookie: JSESSIONID=6DA0ACAEBA3A801CB897E98CE5E92AFC; Path=/cas
Content-Type: text/html;charset=UTF-8
Content-Language: zh-CN
Content-Length: 728
Date: Wed, 30 Oct 2013 03:31:39 GMT

POST /UserManage/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.6.0_26
Host: 10.0.103.137:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 484

logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-0EQR24uNI0TlMr52CzUYMuf1fOAsQg1O447%22+Version%3D%222.0%22+IssueInstant%3D%222013-10-30T11%3A31%3A39Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-nfx6OgRedoAMqowQayXr-cas01.example.org%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Wed, 30 Oct 2013 03:31:39 GMT

public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;

        if (handler.isTokenRequest(request)) {
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            handler.destroySession(request);
            // Do not continue up filter chain
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }

        filterChain.doFilter(servletRequest, servletResponse);
    }

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: JSESSIONID=3911117B64346B50E24F36632C2419D7; Path=/cas
Location: http://10.0.103.137:8080/cas/login
Content-Length: 0
Date: Wed, 30 Oct 2013 03:37:07 GMT